Heap Buffer Overflow on SDL_FillRect pertaining to SDL_video

[SDLBugzilla]

This bug report was migrated from our old Bugzilla tracker.

These attachments are available in the static archive:

• Fix (0001-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch, text/plain, 2019-02-18 13:19:39 +0000, 6947 bytes)

Reported in version: HG 1.2
Reported for operating system, platform: Linux, x86_64

Comments on the original bug report:

On 2019-02-07 13:46:27 +0000, Radue wrote:

PoC

A heap buffer overflow vulnerability was discovered in SDL-1.2.15 library.

Asan output:

=================================================================
==25760==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f02111c5080 at pc 0x7f0216173b6a bp 0x7ffe2d19de10 sp 0x7ffe2d19de08
WRITE of size 4 at 0x7f02111c5080 thread T0
# 0 0x7f0216173b69 in SDL_FillRect /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/video/SDL_surface.c:610:5
# 1 0x7f0216178d3d in SDL_ClearSurface /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/video/SDL_video.c:507:2
# 2 0x7f0216178d3d in SDL_SetVideoMode /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/video/SDL_video.c:729
# 3 0x4dcf68 in CreateScreen /home/radu/apps/sdl_player_lib/SDL-1.2.15/test/graywin.c:112:11
# 4 0x4dd9d5 in main /home/radu/apps/sdl_player_lib/SDL-1.2.15/test/graywin.c:192:11
# 5 0x7f0214e4e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
# 6 0x435588 in _start (/home/radu/apps/sdl_player_lib/SDL-1.2.15/test/graywin+0x435588)

0x7f02111c5080 is located 0 bytes to the right of 31455360-byte region [0x7f020f3c5800,0x7f02111c5080)
allocated by thread T0 here:
# 0 0x4bc552 in malloc (/home/radu/apps/sdl_player_lib/SDL-1.2.15/test/graywin+0x4bc552)
# 1 0x7f02161ada7c in X11_SetupImage /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/video/x11/SDL_x11image.c:105:20

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/video/SDL_surface.c:610 SDL_FillRect
Shadow bytes around the buggy address:
0x0fe0c22309c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe0c22309d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe0c22309e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe0c22309f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe0c2230a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe0c2230a10:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe0c2230a20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe0c2230a30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe0c2230a40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe0c2230a50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe0c2230a60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==25760==ABORTING

Reproducing steps:

1. Download SDL-1.2.15 library
2. ./configure with Asan enabled
3. ./make
4. sudo make install
5. cd examples
6. ./configure with Asan enabled
7. make
8. cd test
9. ./graywin -width 21312312313123213213213

On 2019-02-10 14:58:42 +0000, Radue wrote:

Assigned CVE-2019-7637 by MITRE.

On 2019-02-18 11:13:55 +0000, Petr Pisar wrote:

Width value from "./graywin -width 21312312313123213213213" command is misinterpreted (atoi()) as -1 and then passed as Uint16 argument to CreateScreen() function. Since then the width has value 65535 and travels to SDL_CalculatePitch() where width (65535) is multiplied by BytesPerPixel (4) and the result is stored into Uint16 pitch. Here is the root cause because the pitch is clamped as 65532. As a result SDL_Surface with a pitch smaller than width * BytesPerPixel is created, too small pixel buffer is allocated and when the SDL_Surface is processed in SDL_FillRect a buffer overflow occurs.

On 2019-02-18 13:19:39 +0000, Petr Pisar wrote:

Created attachment 3630
Fix

On 2019-03-17 02:17:42 +0000, Sam Lantinga wrote:

Fixed, thanks!
https://hg.libsdl.org/SDL/rev/9b0e5c555c0f

On 2019-06-27 23:11:34 +0000, Anselmo L. S. Melo wrote:

According to the description of CVE-2019-7637, this issue also affects SDL2 <= 2.0.9. Is that accurate?

On 2019-07-01 06:41:52 +0000, Sam Lantinga wrote:

No, SDL 2.0 is not vulnerable, this was fixed here:
https://hg.libsdl.org/SDL/rev/81a4950907a0

On 2019-08-01 21:36:39 +0000, Ozkan Sezer wrote:

(In reply to Sam Lantinga from comment # 4)

Fixed, thanks!
https://hg.libsdl.org/SDL/rev/9b0e5c555c0f

This patch made copy+paste mistakes which resulted in
windows versions failing to set video mode. Fixed now:
https://hg.libsdl.org/SDL/rev/32075e9e2135